MAGNOLIA-1744

Content can be changed on a public instance by executing links designed for the MgnlInterceptFilter


Details

    • Type: Bug
    • Resolution: Fixed
    • Priority: Blocker
    • 3.0.4
    • 3.0.3
    • security
    • None

    Description

      It is possible to change content on a Magnolia public instance by executing links like the following:

      http://localhost:8080/public/home/partner.html?mgnlCK=1189687249674&mgnlIntercept=NODE_SORT&mgnlPathSelected=/home/partner/maincont/01&mgnlPathSortAbove=/home/partner/maincont/00

      This link, for example, moves a content node inside the node hierarchy.

      Here is a possible solution for this problem:

      The main problem is that the user's authority isn't checked inside the MgnlInterceptFilter.
      Inside the doFilter method the code should be changed like this:

      if (isAuthorized(request, response) && Server.isAdmin()) {
          ...
      }

      This solution helps to prevent executing those "evil" links in the public instance.
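The gate proposed above, written out as a complete servlet filter. This is an added illustration, not Magnolia's MgnlInterceptFilter or any code from the project: the InstanceInfo, Authorizer and CommandExecutor interfaces are hypothetical stand-ins for Server.isAdmin(), isAuthorized(request, response) and the code that actually runs an intercept command, the mgnlIntercept parameter name is taken from the ticket's example URL, and answering with 403 instead of silently skipping the command is a design choice of this example.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Illustrative servlet filter, not Magnolia's MgnlInterceptFilter. It shows the gate
 * the ticket proposes: a content-modifying intercept command (e.g. NODE_SORT) is only
 * executed when this is an admin instance AND the caller is authorized. In every other
 * case the command is never run.
 */
public class InterceptGateFilter implements Filter {

    /** Request parameter selecting the intercept command; the name comes from the ticket's URL. */
    static final String INTERCEPT_PARAM = "mgnlIntercept";

    /** Hypothetical stand-ins for Server.isAdmin(), isAuthorized(request, response) and the command runner. */
    public interface InstanceInfo { boolean isAdmin(); }
    public interface Authorizer { boolean isAuthorized(HttpServletRequest req, HttpServletResponse res); }
    public interface CommandExecutor { void execute(String command, HttpServletRequest req) throws ServletException; }

    private final InstanceInfo instance;
    private final Authorizer authorizer;
    private final CommandExecutor executor;

    public InterceptGateFilter(InstanceInfo instance, Authorizer authorizer, CommandExecutor executor) {
        this.instance = instance;
        this.authorizer = authorizer;
        this.executor = executor;
    }

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;
        String command = req.getParameter(INTERCEPT_PARAM);

        if (command != null) {
            if (!mayExecuteIntercept(req, res)) {
                // Without the gate the command would run here on a public instance as well.
                // Refusing explicitly makes the attempt visible in the access log as a 403.
                res.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
            executor.execute(command, req);
        }
        chain.doFilter(request, response);
    }

    /**
     * The ticket's check, both halves required. isAdmin() is evaluated first: on a public
     * instance it is false, so no session or permission lookup is performed at all.
     */
    boolean mayExecuteIntercept(HttpServletRequest req, HttpServletResponse res) {
        return instance.isAdmin() && authorizer.isAuthorized(req, res);
    }
}
```

Wiring the filter in front of the page-rendering chain means that the example URL from the ticket, sent to a public instance, is answered with 403 before any node is moved, and the same URL on an admin instance still requires an authorized session.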

              People

                pbaerfuss Philipp Bärfuss
                dknobloch Daniel Knobloch